U.S. patent number 6,742,040 [Application Number 09/497,886] was granted by the patent office on 2004-05-25 for firewall for controlling data transfers between networks based on embedded tags in content description language.
This patent grant is currently assigned to Intel Corporation. Invention is credited to James E. Toga.
United States Patent |
6,742,040 |
Toga |
May 25, 2004 |
**Please see images for:
( Certificate of Correction ) ** |
Firewall for controlling data transfers between networks based on
embedded tags in content description language
Abstract
A method of controlling data transfer between a first and a
second computer network comprises parsing content description
language received from the first computer network to determine tag
information with the content description language. A completion
decision is made based on the tag information. For one embodiment,
the completion decision may include any of the following: full data
transfer between the two network, partial data transfer between the
two network, a deferred data transfer at a later time, or a cached
data transfer. Restrictions based upon a user's age, a user's
access right, cost, system resources, and time of day may also be
employed to limit the transfer of data based upon the tag
information.
Inventors: |
Toga; James E. (Portland,
OR) |
Assignee: |
Intel Corporation (Santa Clara,
CA)
|
Family
ID: |
25098778 |
Appl.
No.: |
09/497,886 |
Filed: |
February 4, 2000 |
Related U.S. Patent Documents
|
|
|
|
|
|
|
Application
Number |
Filing Date |
Patent Number |
Issue Date |
|
|
773602 |
Dec 27, 1996 |
6041355 |
|
|
|
Current U.S.
Class: |
709/229;
707/E17.109; 707/999.009 |
Current CPC
Class: |
H04L
63/0245 (20130101); G06F 16/9535 (20190101); Y10S
707/99939 (20130101); H04L 69/329 (20130101) |
Current International
Class: |
G06F
17/30 (20060101); H04L 29/06 (20060101); H04L
29/08 (20060101); G06F 015/16 (); G06F
017/30 () |
Field of
Search: |
;714/37 ;707/104.1,9
;709/227,203,224,229,225 |
References Cited
[Referenced By]
U.S. Patent Documents
Other References
Graham, Ian S., HTML Source Book, Second Edition, A Complete Guide
to HTML 3.0, Wiley Computer Publishing, John Wiley & Sons, Inc.
New York, Chichester, Brisbane, Toronto, Singapore .COPYRGT. 1996,
Table Of Contents, Chapter 3--pp. 91-123; Chapter 6--pp. 351-375;
Chapter 7--pp. 377-417; Chapter 8--pp. 450. .
Comer, Douglas, E., Internetworking With TCP/IP, Vol 1: Principles,
Protocols, and Architecture, Fourth Edition, Prentice Hall, Inc.,
Upper Saddle River, New Jersey, 07458, .COPYRGT.2000, 1995 Prentice
Hall, pp. 150-154..
|
Primary Examiner: Wiley; David
Assistant Examiner: Delgado; Michael
Attorney, Agent or Firm: Blakely, Sokoloff, Taylor &
Zafman LLP
Parent Case Text
This is a Continuation of application Ser. No. 08/773,602, filed
Dec. 27, 1996, now U.S. Pat. No. 6,041,355.
Claims
What is claimed is:
1. A method of controlling transfer of data between a first network
of computers and a second network of computers, the method
comprising: parsing content description language received from the
first network of computers; determining tag information within the
parsed content description language, said tag information including
information available to the second network of computers; and
making a completion decision by the second network of computers as
to whether to allow the transfer of data based on the tag
information available to the second network of computers.
2. The method of claim 1 wherein the completion decision determines
whether the transfer is allowed to occur.
3. The method of claim 1 wherein the completion decision determines
whether only a partial transfer is allowed to occur.
4. The method of claim 3 wherein text but not pictures are allowed
to be transferred.
5. The method of claim 1 wherein the completion decision is based
upon a resource constraint of the second network of computers.
6. The method of claim 1 wherein the content description language
is HTML.
7. The method of claim 1 wherein the tag information includes a
pricetag for the transfer of data, and wherein the completion
decision is based upon the pricetag for the transfer of data.
8. A method of controlling transfer of data between a first network
of computers and a second network of computers, the method
comprising: parsing content description language data received from
the first network of computers to determine tag information
indicating a pricetag for subsequent transfers of said content
description language data to the second network of computers; and
allowing the subsequent transfers of the content description
language data to the second network of computers if the pricetag is
below a predetermined spending limit.
9. The method of claim 8 wherein a user connected to the second
network of computers requests the subsequent transfers of content
description language data and the predetermined spending limit is
associated with the user.
10. A method of controlling transfer of data between a first
network of computers and a second network of computers, the method
comprising: parsing content description language data received from
the first network of computers to determine tag information
indicating a size of subsequent transfers of said content
description language data to the second network of computers; and
disallowing the subsequent transfers of the content description
language data to the second network of computers if the size of the
subsequent transfers of content description language data
interferes with resource constraints of the second network of
computers.
11. The method of claim 10 wherein disallowing the subsequent
transfers of the content description language data is also based
upon time of day restrictions.
12. The method of claim 10 wherein the tag information indicates
that the subsequent transfers of content description language data
are entertainment-based.
13. A method of controlling transfer of data between a first
network of computers and a second network of computers, the method
comprising: parsing content description language data received from
the first network of computers to determine tag information about
subsequent transfers of said content description language data to
the second network of computers; and disallowing the subsequent
transfers of the content description language data to the second
network of computers based upon a time of day restriction specified
by the tag information.
14. The method of claim 13 wherein the tag information about
subsequent transfers indicates that the subsequent transfers of
content description language data are entertainment-based.
15. A method of controlling transfer of data between a first
network of computers and a second network of computers, the method
comprising: parsing content description language data received from
the first network of computers to determine tag information about
subsequent transfers of said content description language data to
the second network of computers; and disallowing the subsequent
transfers of the content description language data to the second
network of computers based upon age restrictions of a requestor of
the content description language data from the second network of
computers, wherein the age restrictions are specified by the tag
information.
16. The method of claim 1 wherein the completion decision allows a
transfer to be deferred until a later time.
17. The method of claim 1 wherein the completion decision allows a
transfer to be cached.
18. The method of claim 17 wherein the caching is based on tag
information.
19. The method of claim 8 further comprising: subtracting the
pricetag from a budget amount attributed to a user that requested
the subsequent transfers of the content description language
data.
20. A method, comprising: examining content description language
tags embedded within data from a first computer network and
criteria from a second computer network, wherein the examination
occurs on a proxy server; comparing the content description
language tags embedded within the data and the criteria, wherein
the comparison occurs on the proxy server; controlling whether the
transfer of data from the first computer network to the second
computer network is allowed based on a completion decision
resulting from the comparison of the content description language
tags embedded within the data and the criteria, wherein the
completion decision occurs on the proxy server.
21. The method of claim 20 wherein examining data from the first
computer network further comprises examining data from a cache.
22. The method of claim 20 wherein examining criteria from the
second computer network further comprises examining criteria from a
cache.
23. The method of claim 20 wherein comparing the data and the
criteria further comprises examining data and criteria from a
cache.
24. The method of claim 20 wherein examining data from the first
computer network further comprises examining data from a
database.
25. The method of claim 24 wherein examining data from a database
further comprises examining data from a cached database.
26. The method of claim 20 wherein examining criteria from the
second computer network further comprises examining criteria from a
database.
27. The method of claim 26 wherein examining criteria from a
database further comprises examining criteria from a cached
database.
28. The method of claim 20 wherein examining data from the first
computer network further comprises examining a content description
language tag.
29. The method of claim 20 wherein examining criteria from the
second computer network further comprises examining an acceptance
content description language tag.
30. The method of claim 20 wherein comparing the data and the
criteria further comprises comparing a content descriptor and an
acceptance content description language tag.
31. The method of claim 20 wherein comparing the data and the
criteria further comprises comparing a content descriptor and an
acceptance content description language tag.
32. The method of claim 20 wherein the completion decision further
comprises a content descriptor being within a set of an acceptance
content description language tag.
33. An apparatus, comprising: means for examining content
description language tags embedded within data from a first
computer network and criteria from a second computer network,
wherein the examination occurs on a proxy server; means for
comparing the content description language tags embedded within the
data and the criteria, wherein the comparison occurs on the proxy
server; means for controlling whether the transfer of data from the
first computer network to the second computer network is allowed
based on a completion decision resulting from the comparison of the
content description language tags embedded within the data and the
criteria, wherein the completion decision occurs on the proxy
server.
34. The apparatus of claim 33, wherein the means for examining data
further comprises means for parsing data to obtain tag
information.
35. The apparatus of claim 34, wherein the means for means for
comparing the data and the criteria further comprises means for
comparing the tag information and the criteria.
36. The apparatus of claim 33, wherein the means for examining
criteria further comprises means for retrieving criteria from the
second computer network database.
37. The apparatus of claim 33, wherein the means for comparing the
data and the criteria further comprises means for comparing data
from a cache and criteria from a cache.
38. An apparatus for controlling data transfers between a first
computer network and a second computer network, the apparatus
comprising: a proxy connected to the first computer network and the
second computer network; criteria coupled to the proxy; and a
parsing engine coupled to the second computer network and the
proxy, such that the criteria and the parsing engine control the
data transfers through the proxy by comparing the criteria to the
data's content description language tags.
39. The apparatus according to claim 38, wherein the coupling of
the criteria to the proxy is a database.
40. The apparatus according to claim 38, wherein the coupling of
the criteria to the proxy is a cache.
41. The apparatus according to claim 38, wherein the coupling of
the parsing engine to the proxy is a database.
42. The apparatus according to claim 41, wherein the database is a
cache.
43. The apparatus according to claim 41, wherein said database is
the result of the second computer network coupling to said parsing
engine.
44. The apparatus according to claim 38, wherein the proxy
comprises a computer.
Description
FIELD OF THE INVENTION
The present invention relates to the field of providing information
over a network. More particularly, this invention relates to
filtering data transferred between two networks based upon tags
indicative of the content of the data.
BACKGROUND OF THE INVENTION
The World Wide Web (WWW) is a fully multimedia-enabled hypertext
system used for navigating the Internet. WWW may cope with any type
of data which may be stored on computers, and may be used with an
Internet connection and a WWW browser. WWW is made up of millions
of interconnected pages or documents which can be displayed on a
computer or other interface to the WWW. Each page can have
connections to other pages which may be stored on any computer
connected to the Internet.
WWW is based on the concept of hypertext which is very similar to
ordinary text, except that for hypertext, connections to other
parts of the text or to other documents can be hidden behind words
and phrases. The connections to these hypertext are referred to as
hypertext links, and they allow the user to read the document in
any order desired. WWW also utilizes hypermedia which allows links
to connect to not only words but also with pictures, sounds and any
other data files which can be stored on a computer.
More specifically, hypermedia is a method of connecting data files
together regardless of their format. The hypermedia links held on a
given WWW page describes the location of the document which a WWW
browser should display by using a Uniform Resource Locator (URL).
URLs enable WWW browsers to go directly to any file held on any WWW
server. URL is a naming system, typically consisting of three
parts, the transfer format (also known as the protocol type), the
host name of the machine which holds the file (may also be referred
to as the WWW server name) and the path name to the file. The
transfer format for standard WWW pages is Hypertext Transfer
Protocol (HTTP). Standard Internet naming conventions are utilized
for the host name portion of the URL. UNIX* directory naming
conventions are utilized to indicate the path name of the file.
A firewall is used to separate one network of computers from
another. For example, a corporation that connects to the Internet
and WWW may install a firewall to prevent users outside the
corporation from accessing data stored on the computer network
within the corporation. Additionally, the firewall can prevent
users within the corporation from accessing data on the Internet
and WWW.
For example, a firewall may be configured to allow certain machines
to be reached and not others. The firewall may be further
programmed to allow certain applications to pass through the
firewall and to deny access to other applications. This provides a
secure, but coarse level of access control for corporate
Intranets.
A proxy sits on top of a firewall. A proxy looks at a higher level
of the data transfer. It is typically a process that responds and
acts on behalf of client requests. A proxy may be used to improve
performance by caching data from previous retrievals. A proxy may
look at the data requests from the users within the corporation and
prevent requests from being sent out which have a particular
keyword in the URL. This, for example, may be used to prevent the
retrieval of sexually explicit material from the Internet by
performing a search of the words of the URL in a dictionary having
particular banned keywords.
SUMMARY OF THE INVENTION
A method of controlling data transfer between a first network and a
second network of computers is described. Content description
language received from the first network by the second network is
parsed to determine tag information within the content description
language. The second network of computers makes a completion
decision as to whether to allow the transfer based on the tag
information.
These and other advantages of the present invention are fully
described in the following detailed description.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a block diagram of a firewall separating a first network
from a second network of computers.
FIG. 2 is an example indicating tags within content description
language.
FIG. 3 shows a flowchart of the steps taken using the present
invention.
DETAILED DESCRIPTION
A method of controlling data transfer between a first network and a
second network of computers is described. Content description
language, such as Hypertext Markup Language (HTML), received from
the first network by the second network is parsed to determine tag
information within the content description language. The second
network of computers makes a completion decision as to whether to
allow the transfer based on the tag information. The second network
of computers may allow complete transfer or partial transfer of the
data. The second network of computers may defer the transfer until
a later time, or it may cache the transfer to allow its clients to
access the data from this transfer without the need to retrieve the
data a second time from the first network. Various other completion
decisions based upon resource constraints, content based upon age,
and pricetag of the content are possible.
FIG. 1 is a block diagram of a firewall separating a first network
from a second network of computers. The first network, network A,
is the internet 10 which includes the World Wide Web and its many
web sites, such as web site 12.
Network A is coupled to Network B, which may be a corporate network
of computers, for example. In one embodiment, Network B comprises a
first filtering router 20, a web proxy 22, and a second filtering
router 24. Network B may also host many other client computers 30
connected to its network.
The filtering router 20 is connected to the Internet 10. The
filtering router 20 accepts only requests from the web proxy 22 for
retrieving data from the internet 10. The filtering router 20 also
only allows data received from the internet 10 to be provided to
the web proxy 22.
Similarly, the filtering router 24 is connected to the client
computers 30. The filtering router 24 accepts requests from the
client computers 30 only directed to the web proxy 22. The
filtering router 24 also only allows data from the web proxy 22 to
be provided to the client computers 30.
The web proxy 22 sits between the filtering routers 20 and 24.
Thus, the web proxy buffers the client computers 30 from accessing
the internet 10 directly. The web proxy is able to monitor all data
leaving network B and being retrieved from Network A.
In the prior art, the web proxy 22 receives a request via filtering
router 24 from one of its clients to retrieve data from the
internet. The web proxy requests the data from the internet which
is allowed to pass through the filtering router 20. When the data
is returned from the internet, the filtering router 20 allows the
data to be provided to the web proxy 22. The web proxy then
provides the data to the client 30 that requested the data.
In the present invention, the web proxy monitors the content
description language that was returned from the internet. The web
proxy looks at tags that indicate information about the content of
the data, as will be described further with reference to FIG. 2.
The web proxy then determines completion decisions as to whether to
allow the transfer of data based upon the tag information. For
example, the web proxy may allow complete transfer or partial
transfer of the data. It may defer the transfer until a later time,
or it may cache the transfer to allow its clients to access the
data from this transfer without the need to retrieve the data a
second time from the internet. Various other completion decisions
based upon resource constraints, content based upon age, and
pricetag of the content are possible, as will be described.
The web proxy 22 may be comprised of one or more computers.
Additionally, web proxy 22 may comprise other proxies which
communicate with the internet, such as mail proxies and ftp
proxies. Web proxy 22 processes the requests for data from the
client computers 30 and the data received from the internet 10.
FIG. 2 is an example indicating tags within content description
language. The tags are used for displaying the data in an
appropriate manner by the browser. Various multimedia abilities,
such as adding sound and hypertext links are possible through the
tags. Many tags are standardized so that all browsers will know how
to interpret the tags. Some browsers include proprietary tags which
improve the display of the content on their own browsers.
The present invention uses tags which can be used by the web proxy
to determine whether to allow subsequent data transfers of content
description language. The tags "cost", "embedded load", and
"content" are examples of new tags added to implement the present
intention.
Financial
In one embodiment of the invention, financial tags are included to
indicate the cost of the content of the subsequent data transfers
of content description language. For example, FIG. 2 includes the
tag "cost." The cost can be expressed in dollars or in other
units.
The web proxy is able to compare the cost of the content against a
spending limit of the user that requested the data. If the cost of
the content is higher than the spending limit, then the transfer
will be denied. The spending limit in this case may be per access,
or it may be a cumulative limit that is being exceeded.
Resource Constraints
In another embodiment, the tags indicate either the size or a rate
of transfer of the subsequent data transfers of content description
language. For example, FIG. 2 includes the tag "embedded load" that
indicates a streaming rate of transfer of subsequent data transfers
of content description language. During certain times of the day
the Network B may disallow transfer of files over a specified size,
or may prevent the transfer of streaming files greater than a
specified rate of transfer. At other times of the day, these
transfers will be allowed. These restrictions are often based upon
resource constraints of the network during peak hours during which
normal business over the Network B would become too slow without
the restrictions.
Certain users, however, may be allowed access to files of any size
or data transfer rate at any time of the day. The web proxy uses
these access rights to appropriately determine completion actions
whether to allow the transfer.
Miscellaneous Content Restrictions
Other predetermined tag information that can be used by the web
proxy to make completion decisions include content restrictions
based upon sexual or violent content. The web proxy includes
information about the users on its client systems which allows the
web proxy to determine whether certain users should be allowed to
access the subsequent data transfers of content description
language.
FIG. 3 shows a flowchart of the steps taken using the present
invention. The flowchart starts at block 60 from which it continues
at block 62. At block 62, content description language received
from the first network of computers is parsed by the second network
of computers to determine tag information within the content
description language. Operation continues at block 64 at which a
completion decision is made by the second network of computers as
to whether to allow the transfer of data based on the tag
information. The flowchart terminates at block 66.
The completion decision may be based upon various constraints of
the networks and access rights of the requesting clients. These
constraints may include, but is not limited to, financial
constraints, resource constraints, age restrictions, user
restrictions, and time of day restrictions.
In the foregoing specification, the invention has been described
with reference to specific exemplary embodiments thereof. It will,
however be evident that various modifications and changes may be
made thereto without departing from the broader spirit and scope of
the invention as set forth in the appended claims. The
specification and drawings are, accordingly, to be regarded in an
illustrative rather than a restrictive sense.
* * * * *